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(54) Method and apparatus for global roaming 

(57) The present invention relates to methods for 
providing access independent global roaming between 
heterogeneous networks. The invention solves this 
problem and provides policy enforcement and service 
transparency when terminals roam between different 
heterogeneous networks by; moving the policy enforce- 
ment point from the network into the terminal, regarding 
the transport mechanism between terminals and serv- 
ers as a packet pipe, adding no extra value except trans- 



port and Quality of Service classification thereof. The 
payment for access and services are separated and 
payment of access is paid in real-time by an anonymous 
payment method. By using the proposed method the ter- 
minal becomes more like a personal profile manager, 
managing rights to services and access. The ability to 
purchase access opens the possibility for the terminal 
to act as an e-commerce platform, and the subscriber 
can access any network any time since access is paid 
for in real time. 
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Description 

TECHNICAL FIELD OF THE INVENTION 

[0001] The present invention relates generally to 
methods for global roaming, and more particularly, the 
invention relates to a method for access independent 
global roaming. 

[0002] The invention also relates to a system for car- 
rying out the method. 

BACKGROUND OF THE INVENTION 

[0003] A large number of fixed and mobile access 
standards are now available, such as Wideband-Code 
Division Multiple Access (W-CDMA), Universal Mobile 
Telephone System-Time Division Duplex (UMTS-TDD), 
CDMA 2000, Wireless-Local Area Network (W-LAN), 
EDGE etc, all of which belong to the 3 rd generation wire- 
less standards. Each type of access standard has its 
own particular network concept; where Mobile Internet 
Protocol (Mobile IP) and the General Packet Radio 
Service (GPRS) tunnelling protocol are the main two 
concepts. The invention, however, is not limited to the 
above mentioned concepts. 

[0004] Interoperability between different network con- 
cepts is not guaranteed using methods presently avail- 
able. This is mainly due to three obstacles. First, there 
is a lack of common subscriber profiles, service stand- 
ards and authentication mechanisms, preventing policy 
enforcement in other networks. Second, there is a lack 
of common Quality of Service versus resource alloca- 
tion paradigm in the access networks due to a bottom 
up instead of a top down approach in designing the data 
link layers with respect to Quality of Service require- 
ments. Third, there is a lack of common higher layer 
standards in the terminals, preventing service transpar- 
ency when terminals roam between different networks 
that carry specific services. 

[0005] Thus, there is a problem with interoperability 
between heterogeneous networks mainly because of 
problems with authentication and service transparency 
in and between different networks. It is, of course, the- 
oretically possible to harmonise disparate networks at 
all of the above levels and thus creating interoperability. 
There is, however, a need for an organic way of inte- 
grating heterogeneous networks and thus provide for 
global roaming. 

SUMMARY OF THE INVENTION 

[0006] The present invention therefore provides a so- 
lution to the problems of integrating heterogeneous net- 
works and providing for access independent global 
roaming and access to services via heterogeneous net- 
works without need for harmonising disparate networks. 
[0007] An object of the invention is to provide access 
independent global roaming in heterogeneous net- 



2 

works. 

[0008] Another object of the invention is to provide 
policy enforcement (authentication) and service trans- 
parency when terminals roam between different heter- 
5 ogeneous networks. 

[0009] The invention achieves the above mentioned 
objects inter alia by: 

moving all service related functions out of the net- 
10 work into user terminals and servers, 

regarding the transport mechanism between termi- 
nals and servers as a packet pipe, adding no extra 
value except transport and Quality of Service clas- 
15 sification thereof, 

separating charging of transport from the charging 
of services and introducing real-time payment of 
transport, 

20 

defining policies, basically a set of rights and obli- 
gations, in a policy definition point, e.g. operator 
servers, and 

25 standardising and modularising a terminal architec- 
ture that supports the above entities. 

[001 0] More specif ically the policies defined in the pol- 
icy definition point are enforced locally in the user ter- 
30 minal in a local policy enforcement point instead of as 
usual in the network. By policies in this context is meant 
a set of rights and obligations pertaining to authentica- 
tion of users, authorisation to access and services as 
well as purchasing and brokering of access resources 
35 and security. Separate policies govern the charging 
functions for access charging and service charging. 
Transport can be paid for in real-time via a credit card, 
pre-paid card, cash card orthe like and services are paid 
for as usual e.g. as per invoice. 
40 [0011] The terminal thus acts more like a personal 
profile manager, enforcing policies, hence managing 
rights to services and access. Services and access are 
controlled in the terminal by the local policy enforcement 
point and the terminal/profile manager is access inde- 
45 pendent since access can be purchased in real-time. 
Thus, the subscriber can access any network at any 
time, considered the right modem is provided. 
[0012] By adopting the proposed solution, as de- 
scribed in the embodiments of the invention, global 
so roaming is possible between heterogeneous networks 
such as, CDMA 2000, W-LAN, EDGE and UMTS. The 
ability to purchase access also opens the possibility for 
the terminal to act as an e-commerce platform; i.e. the 
terminal can be used to purchase anything, not just ac- 
55 cess. 

[0013] The term transport used in this specification 
denotes both the access network and the core transport 
network, i.e. an access network such as CDMA 2000, 
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W-CDMA etc. and a core transport network, such as an 
IP-network. 

[0014] Although the invention has been summarised 
above, the method and arrangement according to the 
appended independent claims 1 and 13 define the 
scope of the invention. Various embodiments are further 
defined in dependent claims 2-1 2 and 14-19. 

BRIEF DESCRIPTION OF THE DRAWINGS 

[0015] The objects and advantages of the invention 
will be understood by reading the following detailed de- 
scription in conjunction with the drawings, in which: 

Figure 1 shows a schematic picture of the architec- 
ture for global roaming; 

Figure 2 shows an embodiment of an anonymous 
payment method; 

Figure 3 shows a detailed view of an embodiment of 
a local policy enforcement point; 

Figure 4 shows a detailed view of an embodiment of 
a secure mobile portal; 

Figure 5 is an exemplary signalling diagram illustrat- 
ing the signalling involved in a session set 

up; 

Figure 6 is a detailed view of an exemplary embod- 
iment of the terminal; and 
Figure 7 shows a mixed access scenario. 

DETAILED DESCRIPTION 

[0016] The various features of the invention will now 
be. described with reference to the figures, in which like 
parts are identified with the same reference characters. 
In the following description, for purpose of explanation 
and not limitation, specific details are set forth, such as 
particular circuits, components, techniques, etc. in order 
to provide a thorough understanding of the present in- 
vention. However, it will be apparent to one skilled in the 
art that the present invention may be practised in other 
embodiments that depart from these specific details. In 
other instances, detailed descriptions of well-known 
methods, devices and circuits are omitted so as not to 
obscure the description of the present invention. 
[001 7] The present invention describes a method and 
a system for providing access independent global roam- 
ing between heterogeneous networks and solves the 
problem with policy enforcement and service transpar- 
ency in and between different networks. The solution 
contains a number of salient features. 

1 ) A transparent packet pipe, interconnecting serv- 
ers and clients (terminals) on a Quality of Service 
basis, transporting packets. 

2) A policy definition point within a server cluster de- 
fining policies pertaining to access rights as well as 
rights to services. 



3) A policy enforcement point, enforcing policies de- 
fined in the policy definition point, moved out from 
the network into the client (terminal). 

5 4) Separate charging mechanisms for access and 
services. 

5) A transformation of the access node into a point 
of sale for access, offering transparent IP transport. 

10 

[0018] Thesolutionaccordingtotheinvention will now 
be further described in more detail with references to 
figures 1-7. 

[0019] Figure 1 shows a schematic picture of the ar- 
15 chitecture for global roaming according to the invention. 
The architecture can be divided into a service domain, 
shown in dark grey, and a transport domain, shown in 
light grey. 

[0020] The service domain, which covers the higher 
20 layers, consists of a server cluster called Secure Mobile 
Portal (SM P) 1 00 and a client, governed by a Local Pol- 
icy Enforcement Point (LPEP) 1 1 0 residing in the termi- 
nal (client) 120. A secure encrypted tunnel 130 connects 
the SMP 100 and the LPEP 110 in a Client-Server rela- 
25 tionship. This tunnel is enabled by the establishment of 
shared secrets between the SMP 100 and the LPEP 
110, contained in a policy, which is used to generate en- 
cryption keys for the IP packets. Since each Internet 
Protocol (IP) packet is encrypted with a unique key for 
30 every subscriber, i.e. a shared secret between the serv- 
ice provider and the subscriber, each packet received 
by the SMP 1 00 will be seen as a de facto authentication 
of the service buyer or subscriber by the service provid- 
er. 

35 [0021] The SMP 100 acts as a Policy Definition Point 
(PDP) for the LPEP 1 1 0 defining policies with respect to 
services, authentication of subscribers, authorisation to 
access and services, accounting, mobility and security 
for the subscriber. TheJ-PEP 110 residing in the client 
40 1 20 enforces the policies defined in the SMP 1 00. A fun- 
damental feature of the architecture is that charging for 
transport and services are separated and that transport 
can be paid for in real-time using for example a pre-paid 
card, credit card, a cash card or the like. Transactions 
■*5 jn the service domain are paid for as usual e.g. as per 
invoice. 

[0022] The transport domain, consisting of an IP 
based core network 140 and IP based access networks 
such as CDMA 2000-, EDGE-, W-LAN-, W-CDMA- or 
so fixed or cable networks, transport packets from the SMP 
1 00 to the LPEP 110. The Layer 1 and layer 2 part 150 
of the terminal 1 20 also belong to the transport domain 
and is preferably implemented as interchangeable mod- 
ules (modems) for different accesses such as W-CDMA, 
55 EDGE, CDMA 2000, W-LAN etc. The transport domain 
adds no value to the packets, except that it classifies the 
packets according to Quality of Service and transports 
the packets to the end destination, guaranteeing access 
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to physical resources where this is appropriate. 
[0023] The different access networks in the transport 
domain must have the appropriate interfaces and sup- 
port agreed on Quality of Service definitions, a so-called 
packet pipe. The packet pipe provides layer 1 and layer 
2 functions to convey packet data traffic across radio air 
interfaces. As part of the transport domain the access 
networks must also be able to process charging infor- 
mation since an important feature of the invention is that 
transport charging is independent of service charging. 
The transport domain must thus involve means for 
charging a subscriber for transport used, e.g. via a pre- 
paid card, credit card, cash card or other means, tt is 
not necessary that a subscriber is authenticated or au- 
thorised by a service provider before transport charging 
takes place. It is only necessary to validate the pre-paid 
card, credit card, cash card or the like, i.e. it is possible 
to implement anonymous payment methods for trans- 
port. Access providers can accept different types of pay- 
ment methods, for payment of transport; e.g. may some 
access providers accept all major credit cards and their 
own special cash card for paying for access to their net- 
works. This can be compared to when stores have a 
sticker on the entrance informing what credit cards they 
accept, 

[0024] In figure 2 is an exemplifying embodiment of 
an anonymous payment method shown. The terminal 
120 transmits a random access channel (in GSM typi- 
cally the RACCH) including payment information 200 to 
an access node 210. The payment information identifies 
the Credential Verifier (CV) 220 e.g. the issuer of a credit 
card or an access subscription, the identity of the sub- 
scriber in an encrypted form and the credit verification 
in an encrypted form, e.g. a credit card number. This 
information is received in the access node 210 which 
reads out the address to the CV 220 adds a transaction 
number to the user identity and credit verification and 
transmits that information 230 to the identified CV 220 
e.g. a MasterCard™ server. The CV 220 decrypts the 
packets sent from the access node 21 0 with unique keys 
for that particular subscriber and checks whether the us- 
er identity and the credit verification number are correct. 
In this way the subscribercan be uniquely identified and 
thus authenticated. If the relationship between the user 
identity and the credit verification is correct the CV 220 
transmits a message with the same transaction number 
and a positive acknowledgement 240 back to the access 
node 21 0. The access node then returns a message 250 
to a modem/router interface contained in the terminal 
containing an IP-address and a positive acknowledge- 
ment, granting access. The IP-address is stored in the 
modem/router interface and in the LPEP 1 1 0 and is also 
associated with a service requested by the subscriber 
in the service layers 260. 

[0025] The structure and operation of an exemplary 
embodiment of the LPEP 110 resident in the terminal 
120 will now be described in more detail with reference 
to figure 3 of the drawings. As discussed above the 
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LPEP 110 enforces policies with respect to authentica- 
tion of subscribers, authorisation to access and servic- 
es, accounting, mobility and security for the subscribers 
that the LPEP 110 serves. These policies are defined in 

s the Secure Mobile Portal (SMP) 100 that acts as a Policy 
Definition Point (PDP)forthe LPEP 110. Each LPEP 110 
has a set of policies associated with it and the relation- 
ship between the PDP and the LPEP 110 i.e. between 
the SMP 100 and the subscriber is uniquely defined by 

io these policies in the LPEP authorisation database 300. 
[0026] Each relation that the subscriber has with 
SMP's 100 or CV's 220 is defined with at least four pa- 
rameters 310. These are obligations, rights, a shared 
secret, i.e. a unique identity and an encryption key, and 

15 an IP-address to the SMP 100 or the CV 220. These 
relations are negotiated either in real time using public 
key infrastructure or by signing up for a service and re- 
ceiving the obligations, rights, shared secret and IP-ad- 
dress 310 to the SMP 100 or CV 220 by mail. 

20 [0027] The LPEP 110 is also responsible for authen- 
ticating the subscriber via e.g. a PIN-code or a finger- 
print reading. If the subscriber is authenticated he gains 
access to the LPEP 1 1 0. It is possible that the LPEP 11 0 
serves more than one subscriber, then the authentica- 

25 tion database 320 stores several subscribers 330 and 
their corresponding identification keys 340. The LPEP 
key 350 on the other hand is used for identifying the 
LPEP 1 1 0 to the SMP 1 00 or CV 220 and for encrypting 
the traffic between the LPEP 110 and the SMP 100 or 

30 CV 220. 

[0028] During a communication session the LPEP 
110 maintains an accounting log 360 containing ac- 
counting information 370 pertaining to the session, such 
as start time, stop time and service utilised. This ac- 

35 counting log 360 can be used by the SMP 100 for billing 
and auditing purposes. At completion of the session the 
LPEP 110 can forward the accounting log 360 to the 
SMP 100 and the SMP 100 replies in agreement or dis- 
agreement, i.e. compare the accounting log in the SMP 

40 100 with the one generated in the LPEP 110. Alterna- 
tively the accounting log 360 is transmitted from the 
LPEP 110 to the SMP 100 at regular intervals, such as 
at the end of the day. 

[0029] With reference now to figure 4 of the drawings 
^5 the structure and operation of an exemplary embodi- 
ment of the SMP 100 will be described in more detail. 
As discussed above, the SMP 100 defines policies with 
respect to authentication of subscribers, authorisation 
to access and services, accounting, mobility and secu- 
50 rityforthe subscribers that the SMP 100 serves. Thus, 
the SMP 100 contains an Encrypted Subscriber Regis- 
ter 400 carrying subscriber IP addresses or network ad- 
dress identifiers (NAI), e.g. N.N@telia.mob as well as 
encryption keys for each individual subscriber and serv- 
55 ice that the SMP 100 serves, to provide encryption, au- 
thentication and authorisation to the services provided. 
The SMP 100 also contains a Global Location Register 
(GLR) 410 indicating which access networks the sub- 
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scriber presently is residing (visiting) in. To be able to 
provide voice services theSMP 100 also contain a voice 
server 420 for providing e.g. voice over IP. The SMP 1 00 
can be seen as a server cluster providing both secure 
and non-secure services to the subscriber; secure serv- 
ices like e-commerce 430 Security alarms, Health care 
services etc. and non-secure services like web browsing 
440 and catalogue/information services 450. The SMP 
100 also contains a secure accounting server 460 for 
accounting and auditing of records. The SMP 100 can 
also update the policies in the LPEP 110. For example 
if the subscriber does not pay the invoices for a partic- 
ular service, that service can be barred. 
[0030] With reference now to the signalling diagram 
shown in figure 5 of the drawings the initiation of a ses- 
sion will be described in more detail. To initiate a session 
a subscriber 580 transmits an authentication request 
500 including subscriber 580 identity and a correspond- 
ing key e.g. a personal identification number (PIN) or a 
fingerprint reading, to gain access to the terminal and 
the rights of the LPEP 110. When the subscriber 580 
receives an authentication reply 505 indicating that the 
subscriber 580 is authenticated to use the terminal, a 
service request 510 is transmitted to the LPEP 1 1 0. The 
LPEP 110 decides on a suitable access depending on 
the service requested by the subscriber 580. Then an 
access request 515 is transmitted to the chosen access 
network 585 identifying the subscriber 580 and corre- 
sponding payment information 520, everything but the 
address to the Credential Verifier is encrypted by the 
LPEP key. The access network 585 reads the payment 
information and identifies the address to the CV 220, 
generates a transaction number and adds the payment 
information, i.e. the user identity in an encrypted form 
and the credit verification in an encrypted form, e.g. a 
credit card number, and transmits the message 525 to 
the CV 220. The CV 220 decrypts the message and if 
the relationship between the user identity and the credit 
verification is correct the CV transmits a message with 
the same transaction number and verifies the subscrib- 
er's credentials 530, to the access network. The access 
network 585 transmits access OK 535 together with an 
IP-address to the LPEP 110. The access network 585 
also transmits a message 540 to the SMP 1 00 indicating 
in what network the subscriber 580 now is residing in. 
The LPEP 110 then enacts 545 the requested service 
51 0 in the SMP 1 00 and the subscriber 580 and the SMP 
conducts a session 550. The LPEP 110 and the SMP 
100 monitors 555 all transactions between the LPEP 
1 1 0 and the SMP 1 00 for accounting purposes. To end 
the session the subscriber 580 transmits an end session 
message 560 to the LPEP 110 that transmits an end 
session message 565 to the SMP 100. When the ses- 
sion has ended the LPEP 110 sends accounting infor- 
mation 570 to the SMP 100 that compares it with the 
accounting information generated in the SMP 1 00 and 
sends a positive or negative accounting confirmation 
575 back to the LPEP 1 1 0. 



[0031] With reference now to figure 6 embodiments 
and functions of the terminal will be described in more 
detail. The terminal is basically separated into three 
parts, an access part, a control part and a service part. 

5 The access part contains a number of access options 
(modems) 600a-c. These access options can physically 
be located in the terminal itself or in someone else's ter- 
minal or be a Bluetooth™ interface connecting to remote 
modems e.g. in the subscriber's briefcase. The service 

io part contains a user interface and applicable application 
programming interfaces (API's) for the services. The 
control part contains a policy enforcement engine 610 
and a policy repository 620. 

[0032] The terminal also contains a layer 2 IP switch 
15 630 and a layer 3 IP router 640 between the modems 
600a-c and the applications interface 650. This enables 
the user 660 the possibility to have several information 
flows between applications 670 and modems 600a-c ac- 
tive at the same time. For example can a voice over IP 
20 data flow be maintained through a W-CDMA network, 
at the same time as a multimedia flow is maintained 
through a W-LAN network, while the terminal at the 
same time is receiving a best effort flow from another 
terminal, through a Bluetooth™ modem. This possibility 
25 to route a plurality of data flows from a plurality of mo- 
dems 600a-c is possible because of the included layer 
2 IP switch 630, and layer 3 IP routing 640. This embod- 
iment also makes it possible for the terminal to hand 
over a communication session from one communica- 
30 tions network to another, by re-routing the data flow from 
one modem port to another, 

[0033] The access discovery function 680 of the ter- 
minal is continuously active, scanning the surroundings 
for access possibilities and generates a record of all 
35 available access possibilities. The access selection 
function 690 is responsible for requesting access and 
presenting credentials to the desired access network 
depending on the service requested from the service 
layers and also for preparing to interconnect with the 
40 chosen access network. 

[0034] The policy enforcement engine 610 and the 
policy repository 620 in the control part connect the mo- 
dems 600a-c in the access part with the user 660 and 
the API's in the service part. More specifically the policy 
45 enforcement engine 610 in the control part has the re- 
sponsibility for a variety of tasks such as authenticating 
the user 660 to the terminal, authorising the user 660 to 
services and collecting accounting data. These and oth- 
er tasks will be further described in relation to figure 7. 
50 [0035] The policy repository 620 of the terminal can 
be seen as a database containing the subscribers rela- 
tionship to access providers, service providers as well 
as individual clients, i.e. the obligations, rights, shared 
secrets and addresses to credential verifiers or SMP's. 
55 These relationships can be varying and sometimes ex- 
tremely complex. 

[0036] Some service providers may e.g. have a hier- 
archical relation between different aspects of its service. 
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For example might a special access network or a special 
gateway need to be used or passed before a particular 
service can be executed and maybe as a last item a 
trusted relationship will be enacted for a particular ses- 
sion. Other service provider might be non-hierarchical, 
which means that the different services are open and 
enacted at the same level, e.g. any access network may 
be used. 

[0037] A subscriber may have a relationship to many 
different structures, hierarchical and flat. All these rela- 
tionships are reflected in the policy repository 620. Each 
relationship the user 660 or subscriber would like to en- 
ter into is defined using at least four parameters. These 
are rights, obligations, shared secret, and address to 
credential verifier or SMP, creating a policy block. The 
policy repository 620 contains several policy blocks de- 
fining the relationships that exists between the user 660 
and different service providers as well as individuals. A 
coupling matrix is defined between these policy blocks 
defining their hierarchical relationship. If the coupling 
coefficient is zero there is no relationship and if the cou- 
pling coefficient is one the preceding policy block is high- 
er in the hierarchy. 

[0038] The policy repository 620 can be accessed 
from outside 695 of the terminal providing the user has 
opened the policy repository 620 by e.g. a personal 
identification code, a fingerprint reading or other means. 
Then a service provider can update their policy block 
and relevant coupling coefficients . Once the service pro- 
vider has entered its policies into the policy repository 
620 these can be updated at will by the service provider 
providing such an agreement exists. If no such agree- 
ment exists the subscriber must open the policy repos- 
itory 620 every time before changes can be made. 
[0039] The policy enforcement engine 610 thus en- 
forces policies defined in policy repositories 620. This 
implies e.g. that rental cars, hotel rooms etc. can be pro- 
vided with policy enforcement engines 610 executing 
the policies in a user's or visitor's policy repository 620. 
The communication between the policy enforcement 
engine and the policy repository is preferable done by 
a suitable wireless interface, e.g. Bluetooth™. Both the 
policy enforcement engine 61 0 and the policy repository 
620 is preferably implemented as computer programs 
on a suitable media, e.g. smart cards together with a 
suitable wireless access product such as Bluetooth™. 
Other implementations are of course possible, e.g. in- 
tegrated circuits, a circuit board in th'e terminal or as a 
separate circuit board that can be inserted into any ap- 
propriate terminal. 

[0040] With reference now to figure 6 and 7 the tasks 
of the control part of the terminal will be described in 
more detail together with a mixed access scenario. Sup- 
pose that the access possibilities consists of several dif- 
ferent networks, such as W-CDMA 700, EDGE 705, 
GPRS 710, CDMA-2000 715, W-LAN 720 or Fixed or 
Cable 725 and that the transport network is an IP based 
core network 730. To gain access to the functions of the 
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terminal and the policy enforcement engine 61 0 and pol- 
icy repository 620 the user 660 must be authenticated. 
Thus an authentication request is transmitted to the pol- 
icy enforcement engine 61 0 that checks the authentica- 
5 tion with the relevant policy blocks in the policy reposi- 
tory 620. When the user 660 is authenticated all the 
rights and obligations associated with the user in the pol- 
icy repository 620 are open. 

[0041] The access discovery function 680, which is 

io continuously active, has scanned all available access 
networks and found the above mentioned access pos- 
sibilities 700-725 and made a record of what is available. 
The user 660 now e.g. wants to initiate a web-service 
and thus via the applications interface 650 agree on pa- 

15 rameters, i.e. a Quality of Service parameter for the ses- 
sion, e.g. the transmission rate. The applications inter- 
face 650 thereafter asks the policy enforcement engine 
61 0 to enact the requested web-service, with the spec- 
ified Quality of Service parameter for that session. The 

20 policy enforcement engine 61 0 then collects data from 
the policy repository 620 and the access selection func- 
tion 690 to set up a channel that complies with the 
agreed parameters and the requested service and 
thereafter activates the connection. 

25 [0042] If the user 660 doesn't have a subscription to 
the requested network, the policy enforcement engine 
61 0 presents credentials to the appropriate access sup- 
plier as described above in relation to figure 2. The cre- 
dentials can e.g. be a credit card accepted by the access 

30 supplier. The policy enforcement engine 610 then 
launches the requested web-service according to the 
policies in the policy repository 620. The policy enforce- 
ment engine 610 tracks data exchanged during the ex- 
ecuted web-service according to policies for accounting 

35 and verification purposes. Then the policy enforcement 
engine 61 0 disconnects the application 670 and assem- 
bles the accounting data. 

[0043] Another possibility occurs if the terminal 
doesn't have the appropriate modem 600a-c for the best 

40 access network. Imagine for example that the GPRS 
network 710 is most suitable for the requested web- 
service but the user terminal only has a W-CDMA inter- 
face. The solution is the Bluetooth™ modem 740 a-b 
attached to the terminal, which makes it possible to use 

45 the modems 600a-c of a neighbouring terminal. The 
Bluetooth™ modem 740a-b in the neighbouring termi- 
nal then acts as an access point or bridge to access a 
GPRS modem belonging to the other terminal. 
[0044] The invention being thus described, it will be 

so obvious that the same may be varied in many ways. 
Such variations are not to be regarded as a departure 
from the scope of the invention, and all such modifica- 
tions as would be obvious to a person skilled in art are 
intended to be included within the scope of the following 

55 claims. 
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Claims 

1 . A communication system for providing access inde- 
pendent roaming including at least two communica- 
tion networks being mutually heterogeneous, at 
least one terminal for exchanging information with 
at least two communication networks being mutu- 
ally heterogeneous, at least one policy definition 
point forming a client-server relationship with said 
at least one terminal, at least one policy enforce- 
ment point enforcing policies defined in said policy 
definition point 

characterised in that 

said at least one policy enforcement point is located 
in said at least one terminal. 

2. A communication system according to claim 1, 
characterised in that said policy definition point in- 
cludes means for defining policies pertaining to 
services, authentication, authorisation and ac- 
counting. 

3. A communication system according to claim 1, 
characterised in that said policy enforcement point 
includes means for enforcing policies pertaining to 
services, authentication, authorisation and ac- 
counting. 

4. A communication system according to claim 1, 
characterised in that said client-server relationship 
is realised by a transparent packet pipe transporting 
and classifying packets according to Quality of 
Service. 

5. A communication system according to claim 1, 
characterised in that said at least one terminal sup- 
ports several simultaneously ongoing independent 
client-server relationships. 

6. A communication system according to claim 1 , 
characterised in that said policy decision point in- 
cludes means for enacting policies in other service 
clusters than its own. 

7. A communication system according to claim 1, 
characterised in that said policy enforcement point 
includes means for enforcing a plurality of policies 
emanating from a plurality of networks and service 
providers. 

8. A communication system according to claim 1, 
characterised in that said policy definition point is 
implemented by software code means. 

9. A communication system according to claim 1, 
characterised in that said policy enforcement point 
is implemented by software code means. 



10. A communication system according to claim 1, 
characterised in that said policy definition point in- 
cludes a global location register indicating in what 
access network said at least one terminal is residing 

s in. 

11. A communication system according to claim 1, 
characterised in that said policy definition point fur- 
ther includes a subscriber database including 

io means for storing subscriber IP addresses and en- 
cryption keys for each of said subscribers. 

12. A communication system according to claim 1, 
characterised in that said communication system 

'5 includes a credential verifier providing means for 
anonymous payment of access for at least one of 
said mutually heterogeneous networks. 

13. A method for global roaming in a communication 
20 system including at least two communication net- 
works being mutually heterogeneous, at least one 
terminal for exchanging information with at least two 
communication networks being mutually heteroge- 
neous, at least one policy definition point forming a 

25 client-server relationship with said at least one ter- 
minal, 

the method characterised by 
enforcing policies defined in said policy definition 
point in a policy enforcement point in said at least 
30 one terminal. 

14. The method of claim 1 3, characterised by defining 
policies in the policy definition point pertaining to 
services, authentication, authorisation and ac- 

35 counting. 

15. The method of claim 13, characterised by enforc- 
ing policies in said policy enforcement point defined 
in said policy definition point pertaining to services, 

40 authentication, authorisation and accounting. 

16. The method of claim 13, further characterised in 
that said client-server relationship is provided by 
transporting and classifying packets according to 

45 Quality of Service. 

17. The method of claim 13, further characterised in 
that the policy definition point is defining policies in 
other server clusters than its own. 

50 

18. The method of claim 13, characterised by storing 
in said policy definition point in a global location reg- 
ister in what access network said at least one ter- 
minal is residing in. 

55 

19. The method of claim 13, characterised by storing 
in said policy definition point subscriber IP address- 
es and encryption keys for each of said subscribers. 
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